Analysis
max time kernel: 141s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2024 03:13
Behavioral task behavioral1: Sample Crypt.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample Crypt.exe, Resource win10v2004-20241007-en
General
Target: Crypt.exe
Size: 19.8MB
MD5: ddef08ea0d2d4d3fcb1833864908de42
SHA1: 300566f50769baab1db9abc1b7bf2fc297489b67
SHA256: 4998131d9da04240464355e09181f10dc42234fc08f58d710b4d821ea89fc635
SHA512: b1c2487fd01c6ad41a91d03c3625e36beee0af5035fddf6f3f66f9335f45c2fcd0c3f3a6857e8f07a643b04479f4a683b8c40cec30138124a360a04cd1eb09b9
SSDEEP: 393216:0tY/KbHN7xZQNWFCemhZ2YsHFUK2JbInEroXmfEqirRRoYJtNITaZWuNY82HqtYR:082ZQ0FCeiZ2YwUlJkErU0wvxtNLzNYH
Malware Config
Signatures
- Renames multiple (169) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Loads dropped DLL (31 IoCs)
  pid / Process: 4008 Crypt.exe (all 31 entries are the same process, pid 4008 Crypt.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI48482\\Crypt.py"
  Process: Crypt.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\background_image.jpg"
  Process: Crypt.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4848 wrote to memory of 4008 | 4848 | Crypt.exe | 88
  PID 4848 wrote to memory of 4008 | 4848 | Crypt.exe | 88
  PID 4008 wrote to memory of 4736 | 4008 | Crypt.exe | 91
  PID 4008 wrote to memory of 4736 | 4008 | Crypt.exe | 91
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Crypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"
  PID: 4848
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Crypt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"
    PID: 4008
    - Loads dropped DLL
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "ver"
      PID: 4736
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1)
Downloads